An Application Programming Interface (API) is an interface provided so that certain data and functions can be used from an external application or system; the API is created and published by the data provider or the developer of the function. At present, it is common practice to publish APIs in the form of a Web API that is accessed over the HyperText Transfer Protocol (HTTP).
In recent years, to improve both the convenience and the safety of providing APIs, a category of product referred to as an "API gateway" has been released. The API gateway is deployed as a reverse proxy in front of the backend server (the application server) that provides an API, and it manages how the API is provided. API users, such as the developers of external applications or systems, use published APIs via the API gateway to develop new products and to improve the functions of existing ones. It is considered important that, in the future, companies create new value by connecting their products, businesses, data, and the like to many other companies and individuals, and the API gateway has been attracting attention as a technique for achieving this.
The API gateway has various functions that support the use of APIs (mainly Web APIs) by API users. Specifically, the API gateway issues each application an API key, an identifier used to authenticate and identify that application. Using the API key, the API gateway manages, for each application, the URIs, parameters, and the like of the APIs; enforces an upper limit (a rate limit) on the number of calls allowed per unit time and the access range for each API; and records and analyzes statistical information such as the number of calls.
In recent years, as a method of setting API rate limits, a control method has been proposed that sets the rate limit according to the priority of applications and data. In the proposed control method, a priority is derived for each time period by prediction algorithms that take thresholds defined in advance into consideration. Separately, a method has been proposed for detecting a user's malicious operations from the degree to which an operation log matches a legitimate log of a client PC.
Meanwhile, there is demand for streamlining business by using APIs in existing business systems through an API gateway. When APIs are used in existing business systems, there are cases where, depending on the original system design, an application is given API access that must follow a specific procedure. In such cases, depending on the procedure by which the corresponding API is accessed, there is a possibility that a system failure is caused.
Furthermore, there are cases where, after an API key has been issued to an application, the application is updated so that its access procedure changes. This is, for example, a case where the updated application erroneously accesses an API with an unrecommended procedure because the update introduced a bug.
Further, there is also a possibility that an API is used with the same API key by a different application having a different access procedure; in other words, a case where the API key is used by an application with malicious intent. In this case, there is a risk that the application with malicious intent uses data and functions in a way that causes damage to the corresponding API provider.
However, the related methods are systems for deriving the priority between applications and data in order to set a rate limit. With these methods, therefore, it has been difficult to detect applications that may have been updated, or may be used with malicious intent, and that may cause damage to the system. Accordingly, because such applications can still access APIs under these related methods, there has been a problem that it is difficult to protect the data and functions provided by an API from applications that may have been updated or used with malicious intent. Although the technique described in Japanese Laid-open Patent Publication No. 2009-20812 can detect a user's malicious operations, with this technique it is difficult to detect applications that may have been updated or used with malicious intent.
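As an added illustration (example code written for this page, not the invention's own method or any gateway product's code), the following gateway-side monitor combines the two API-key functions described above, per-key rate limiting and per-key access-procedure tracking, so that a request whose call order departs from the procedure the application was registered with (the updated-application and reused-key cases above) is flagged. The registered procedures, URIs and limits are constructed, hypothetical values.

```python
from collections import defaultdict, deque

# Constructed registration data (hypothetical): for each API key, the access
# procedure the application was registered with, as the ordered URIs it is
# expected to call, and its rate limit per time window.
REGISTERED = {
    "key-app-A": {"procedure": ["/auth", "/orders", "/orders/confirm"], "limit": 3},
}

class GatewayMonitor:
    """Per-API-key rate limit plus access-procedure deviation detection."""

    def __init__(self, registered, window_seconds=60):
        self.registered = registered
        self.window = window_seconds
        self.calls = defaultdict(deque)   # api_key -> call timestamps in window
        self.position = defaultdict(int)  # api_key -> next expected step index
        self.deviations = defaultdict(int)  # api_key -> count of flagged calls

    def _within_limit(self, api_key, now):
        """Sliding-window counter: drop expired timestamps, then admit or reject."""
        q = self.calls[api_key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.registered[api_key]["limit"]:
            return False
        q.append(now)
        return True

    def check(self, api_key, uri, now):
        """Return (allowed, reason) for one request arriving at time `now`."""
        reg = self.registered.get(api_key)
        if reg is None:
            return False, "unknown api key"
        if not self._within_limit(api_key, now):
            return False, "rate limit exceeded"
        steps = reg["procedure"]
        expected = steps[self.position[api_key]]
        if uri != expected:
            # The call order no longer matches the registered procedure:
            # the application may have been updated, or the key reused by
            # another application. Reject and record it for review.
            self.deviations[api_key] += 1
            self.position[api_key] = 0
            return False, f"procedure deviation: expected {expected}, got {uri}"
        # Advance to the next step; wrap around when the procedure completes.
        self.position[api_key] = (self.position[api_key] + 1) % len(steps)
        return True, "ok"
```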